Skip to content

Commit 5b02557

Browse files
jcristaujcristau
committed
actions: fix scope check on mercurial (bug 1965754)
The action task's scopes are tied to the head repo.
1 parent d28ac99 commit 5b02557

File tree

2 files changed

+37
-12
lines changed

2 files changed

+37
-12
lines changed

src/taskgraph/actions/registry.py

Lines changed: 4 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -300,14 +300,12 @@ def sanity_check_task_scope(callback, parameters, graph_config):
300300
else:
301301
raise ValueError(f"No action with cb_name {callback}")
302302

303-
raw_url = parameters["base_repository"]
304-
parsed_url = parse(raw_url)
303+
parsed_base_url = parse(parameters["base_repository"])
304+
parsed_head_url = parse(parameters["head_repository"])
305305
action_scope = (
306-
f"assume:{parsed_url.taskcluster_role_prefix}:action:{action.permission}"
307-
)
308-
pr_action_scope = (
309-
f"assume:{parsed_url.taskcluster_role_prefix}:pr-action:{action.permission}"
306+
f"assume:{parsed_head_url.taskcluster_role_prefix}:action:{action.permission}"
310307
)
308+
pr_action_scope = f"assume:{parsed_base_url.taskcluster_role_prefix}:pr-action:{action.permission}"
311309

312310
# the scope should appear literally; no need for a satisfaction check. The use of
313311
# get_current_scopes here calls the auth service through the Taskcluster Proxy, giving

test/test_actions_registry.py

Lines changed: 33 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -55,37 +55,64 @@ def test_register_callback_action(request, monkeypatch, kwargs):
5555
("non-existing-action", {}, [], pytest.raises(ValueError)),
5656
(
5757
"retrigger",
58-
{"base_repository": "https://some.git.repo"},
58+
{
59+
"base_repository": "https://some.git.repo",
60+
"head_repository": "https://some.git.repo",
61+
},
5962
[],
6063
pytest.raises(InvalidRepoUrlError),
6164
),
6265
(
6366
"retrigger",
64-
{"base_repository": "https://hg.mozilla.org/try"},
67+
{
68+
"base_repository": "https://hg.mozilla.org/mozilla-unified",
69+
"head_repository": "https://hg.mozilla.org/try",
70+
},
6571
["unrelated:scope"],
6672
pytest.raises(ValueError),
6773
),
6874
(
6975
"retrigger",
70-
{"base_repository": "https://hg.mozilla.org/mozilla-central"},
76+
{
77+
"base_repository": "https://hg.mozilla.org/mozilla-unified",
78+
"head_repository": "https://hg.mozilla.org/try",
79+
},
80+
["assume:repo:hg.mozilla.org/try:action:generic"],
81+
does_not_raise(),
82+
),
83+
(
84+
"retrigger",
85+
{
86+
"base_repository": "https://hg.mozilla.org/mozilla-central",
87+
"head_repository": "https://hg.mozilla.org/mozilla-central",
88+
},
7189
["assume:repo:hg.mozilla.org/mozilla-central:action:generic"],
7290
does_not_raise(),
7391
),
7492
(
7593
"retrigger",
76-
{"base_repository": "https://github.com/taskcluster/taskgraph"},
94+
{
95+
"base_repository": "https://github.com/taskcluster/taskgraph",
96+
"head_repository": "https://github.com/taskcluster/taskgraph",
97+
},
7798
["assume:repo:github.com/taskcluster/taskgraph:action:generic"],
7899
does_not_raise(),
79100
),
80101
(
81102
"retrigger",
82-
{"base_repository": "git@github.com:mozilla-mobile/firefox-android.git"},
103+
{
104+
"base_repository": "git@github.com:mozilla-mobile/firefox-android.git",
105+
"head_repository": "git@github.com:mozilla-mobile/firefox-android.git",
106+
},
83107
["assume:repo:github.com/mozilla-mobile/firefox-android:action:generic"],
84108
does_not_raise(),
85109
),
86110
(
87111
"retrigger",
88-
{"base_repository": "git@github.com:mozilla-mobile/firefox-android.git"},
112+
{
113+
"base_repository": "git@github.com:mozilla-mobile/firefox-android.git",
114+
"head_repository": "git@github.com:someuser/firefox-android.git",
115+
},
89116
["assume:repo:github.com/mozilla-mobile/firefox-android:pr-action:generic"],
90117
does_not_raise(),
91118
),

0 commit comments

Comments
 (0)